Software Deployment Tools

Software deployment tools are the core operations components that enterprises use to automate software distribution, configuration management and system updates. Adversaries abuse the remote-execution and network-access privileges of these tools to carry out lateral movement, persistent control and other malicious activity. Traditional defenses detect such abuse mainly by auditing deployment logs, monitoring for abnormal task triggers and analyzing process behavior chains, focusing on unauthorized packages, deployment activity at unusual times and abnormal changes to system privileges.

To evade these traditional detection mechanisms, adversaries have developed stealth techniques that make deep use of the deployment system's native functionality, embedding malicious behavior in standard operations workflows through task-logic obfuscation and control over deployment cadence. These techniques break from the traditional attack pattern and form a new paradigm in which the attack blends closely with legitimate operations, significantly increasing the stealth and persistence of the attack chain.

The core characteristics of current concealment techniques against software deployment tools are the legitimization of the attack vector and deep adaptation to the execution environment. Legitimate-deployment-workflow masquerading uses standardized deployment templates and process-behavior mimicry to merge the attack chain seamlessly with the operations workflow; low-frequency intermittent deployment dilutes attack signatures along the time dimension and imitates business scenarios to evade detection rules based on deployment cadence. What the two share is full use of the deployment system's design characteristics and trust mechanisms: through masquerading and staging, the attack is decomposed into multiple individually legitimate operational units, so that defenses built on single-point anomaly detection struggle to respond effectively.

The evolution of these concealment techniques puts traditional detection methods based on log auditing and behavioral rule matching at risk of failure. Defenders need to build new detection capabilities such as deployment-behavior baseline modeling and cross-batch task correlation tracking, while strengthening least-privilege controls and code-signing verification on deployment systems, to form a defense that covers the full lifecycle.

ID: T1072
Sub-techniques: T1072.001, T1072.002
Platforms: Linux, Network, SaaS, Windows, macOS
Supports Remote: Yes
Contributors: Joe Gumke, U.S. Bank; Shane Tully, @securitygypsy; Tamir Yehuda
Version: 3.1
Created: 31 May 2017
Last Modified: 25 September 2024

Concealment Effects

Effect type Present?
Signature Masquerading
Behavioral Transparency
Data Obscuration
Spatiotemporal Trace Dilution

Signature Masquerading

Adversaries precisely mimic the workflow characteristics of legitimate deployment tasks, keeping the execution of malicious code highly consistent with standard operations in process-tree structure, resource-access patterns and log-record format. Examples include embedding malicious scripts in installers that carry legitimate digital signatures, or triggering the attack through the deployment system's standard API, so that security devices cannot distinguish normal from malicious activity by surface features.

Spatiotemporal Trace Dilution

Low-frequency intermittent deployment extends the attack timeline and spreads deployment across nodes, converting concentrated attack activity into long-duration, small-batch, discrete operations. Adversaries adjust the deployment cadence dynamically to the target enterprise's business cycle so that the intensity of any single action stays below detection thresholds, and exploit the system's inherent version-iteration mechanism to dilute the temporal correlation between malicious operations.

Procedure Examples

ID Name Description
G0050 APT32

APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task.[1]

C0018 C0018

During C0018, the threat actors used PDQ Deploy to move AvosLocker and tools across the network.[2]

G0034 Sandworm Team

Sandworm Team has used the commercially available tool RemoteExec for agentless remote code execution.[3]

G0091 Silence

Silence has used RAdmin, a remote software tool used to remotely control workstations and ATMs.[4]

G0028 Threat Group-1314

Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement.[5]

S0041 Wiper

It is believed that a patch management system for an anti-virus product commonly installed among targeted companies was used to distribute the Wiper malware.[6]

Mitigations

ID Mitigation Description
M1015 Active Directory Configuration

Ensure proper system and access isolation for critical network systems through use of group policy.

M1033 Limit Software Installation

Restrict the use of third-party software suites installed within an enterprise network.

M1032 Multi-factor Authentication

Ensure proper system and access isolation for critical network systems through use of multi-factor authentication.

M1030 Network Segmentation

Ensure proper system isolation for critical network systems through use of firewalls.

M1027 Password Policies

Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.

M1026 Privileged Account Management

Grant access to application deployment systems only to a limited number of authorized administrators.

M1029 Remote Data Storage

If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.

M1051 Update Software

Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.

M1018 User Account Management

Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation.

M1017 User Training

Have a strict approval policy for use of deployment systems.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Often these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage. Perform application deployment at regular times so that irregular deployment activity stands out.

Analytic 1 - Look for irregular deployment activity, systems not typically used for deployment suddenly pushing software, abnormal account login activity

sourcetype=aws_system_manager OR sourcetype=azure_arc | search (event_description="deployment" OR action="push" OR result="success" OR result="failure" OR command="run script")
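The analytic above looks for irregular deployment activity, and the introduction calls for deployment-behavior baseline modeling and cross-batch task correlation to counter low-frequency intermittent deployment. The following Python is an added example of both checks run over constructed deployment-log lines; it is not code from the page, from ATT&CK or from any deployment product. The log format (timestamp, source host, account, package, target count), the baseline sets and the low-and-slow thresholds are all assumptions chosen for the example.

```python
"""Baseline and cross-batch checks over software deployment logs (T1072).

Added example; the log line format, baseline values and thresholds below are
assumptions for illustration, not a real product's schema.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log lines (not real telemetry):
# "<ISO timestamp> <source host> <account> <package> <number of targets>"
SAMPLE_LOG = [
    "2024-09-02T02:10:00 deploy-srv-01 svc_deploy agent-7.4.1.msi 120",
    "2024-09-02T02:12:00 deploy-srv-01 svc_deploy office-patch-kb5.msi 300",
    "2024-09-03T14:05:00 wks-finance-22 jdoe util-update.msi 3",
    "2024-09-04T02:11:00 deploy-srv-01 svc_deploy util-update.msi 4",
    "2024-09-06T02:09:00 deploy-srv-01 svc_deploy util-update.msi 5",
    "2024-09-09T02:14:00 deploy-srv-01 svc_deploy util-update.msi 4",
    "2024-09-10T09:30:00 deploy-srv-02 svc_deploy util-update.msi 3",
]

# Hypothetical baseline learned from normal operations in this environment.
BASELINE = {
    "deployment_hosts": {"deploy-srv-01", "deploy-srv-02"},
    "deployment_accounts": {"svc_deploy"},
    "approved_packages": {"agent-7.4.1.msi", "office-patch-kb5.msi"},
    "window": (time(1, 0), time(4, 0)),  # regular maintenance window
}


@dataclass
class Deployment:
    ts: datetime
    source_host: str
    account: str
    package: str
    targets: int


def parse_line(line: str) -> Deployment:
    """Split one constructed log line into a Deployment record."""
    ts, host, account, package, targets = line.split()
    return Deployment(datetime.fromisoformat(ts), host, account, package, int(targets))


def check_record(d: Deployment, baseline: dict = BASELINE) -> list[str]:
    """Single-record checks: source host, account, package and time window."""
    findings = []
    if d.source_host not in baseline["deployment_hosts"]:
        findings.append("unexpected_source_host")
    if d.account not in baseline["deployment_accounts"]:
        findings.append("unexpected_account")
    if d.package not in baseline["approved_packages"]:
        findings.append("unapproved_package")
    start, end = baseline["window"]
    if not (start <= d.ts.time() <= end):
        findings.append("outside_window")
    return findings


def find_low_and_slow(deployments: list[Deployment], max_batch: int = 10,
                      min_batches: int = 3, min_days: int = 3) -> dict:
    """Cross-batch correlation: one package pushed repeatedly in small batches
    spread over several days is flagged even though no single push is large."""
    by_pkg: dict[str, list[Deployment]] = defaultdict(list)
    for d in deployments:
        by_pkg[d.package].append(d)
    campaigns = {}
    for pkg, batches in by_pkg.items():
        small = [b for b in batches if b.targets <= max_batch]
        days = {b.ts.date() for b in small}
        if len(small) >= min_batches and len(days) >= min_days:
            campaigns[pkg] = {
                "batches": len(small),
                "days": len(days),
                "total_targets": sum(b.targets for b in small),
                "source_hosts": sorted({b.source_host for b in small}),
            }
    return campaigns


def analyze(lines: list[str], baseline: dict = BASELINE) -> dict:
    """Run both passes and return findings keyed by (timestamp, host, package)."""
    deployments = [parse_line(line) for line in lines]
    record_findings = {}
    for d in deployments:
        findings = check_record(d, baseline)
        if findings:
            record_findings[(d.ts.isoformat(), d.source_host, d.package)] = findings
    return {"record_findings": record_findings,
            "low_and_slow": find_low_and_slow(deployments)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key, findings in result["record_findings"].items():
        print(key, findings)
    for pkg, info in result["low_and_slow"].items():
        print("low-and-slow campaign:", pkg, info)
```

In the sample, the two large pushes from the baseline server inside the maintenance window produce no findings, while the workstation push from a user account at 14:05 trips every single-record check. The more interesting result is the cross-batch pass: the unapproved package is pushed to only 3 to 5 hosts at a time, mostly from the normal server and inside the normal window, yet aggregating over packages shows 19 hosts touched across 5 days, which is the pattern the per-push checks alone would miss.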

DS0009 Process Process Creation

Monitor for newly executed processes that do not correlate to known good software. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems.

Note: This query detects the creation of suspicious processes initiated by system or administrative accounts (such as SYSTEM, Admin, or SCCM) that are not typical for those users, and filters the process creation based on unusual patterns. Processes like cmd.exe, powershell.exe, or python executed in this context without an expected parent process or correlation to authorized events should be flagged for investigation.

Analytic 1 - Look for unusual software deployment processes, unexpected binaries or scripts, non-standard execution trees

sourcetype=WinEventLog:Security OR sourcetype=linux_audit | search (process_name IN ("cmd.exe", "powershell.exe", "sh", "bash", "python", "wscript", "msiexec.exe", "installer") AND user IN ("SYSTEM", "Admin", "SCCM"))
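The query above matches every interpreter or installer run by SYSTEM, Admin or SCCM, and the note says such hits should be flagged only when they lack an expected parent process or a correlation to an authorized event. The Python below is an added example of that second-stage triage over constructed process-creation events; it is not code from the page or from any product. The deployment agent binary name (deployagent.exe), the task-id field and the authorized task list are assumptions for the example.

```python
"""Triage of process-creation events spawned in a deployment context (T1072).

Added example. The event schema, the agent parent name and the authorized
task identifiers are assumptions; a real pipeline would take these from the
deployment platform's own logs and change-management records.
"""
from __future__ import annotations

# Process names from the page's analytic, compared case-insensitively.
INTERPRETERS = {"cmd.exe", "powershell.exe", "sh", "bash", "python", "python.exe",
                "wscript.exe", "msiexec.exe", "installer"}
PRIVILEGED_USERS = {"SYSTEM", "Admin", "SCCM"}

# Hypothetical policy: the parent the deployment agent normally spawns from,
# and the change tickets / task ids approved for deployment this cycle.
POLICY = {
    "expected_parents": {"deployagent.exe"},
    "authorized_tasks": {"TASK-1042"},
}

# Constructed 4688-style events (not real telemetry). "task" is a hypothetical
# field carrying the deployment task id the platform attached to the job.
SAMPLE_EVENTS = [
    {"host": "wks-101", "user": "SYSTEM", "parent": r"C:\Program Files\Agent\deployagent.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "task": "TASK-1042"},
    {"host": "wks-101", "user": "SYSTEM", "parent": r"C:\Program Files\Agent\deployagent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "task": ""},
    {"host": "wks-207", "user": "SCCM", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "task": ""},
    {"host": "wks-207", "user": "jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "task": ""},
    {"host": "srv-db-3", "user": "SYSTEM", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "task": ""},
    {"host": "srv-app-9", "user": "Admin", "parent": r"C:\Program Files\Agent\deployagent.exe",
     "image": r"C:\Python311\python.exe", "task": "TASK-9999"},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(ev: dict, policy: dict = POLICY) -> tuple[str, str] | None:
    """Return (severity, reason) for events that need a look, else None.

    Stage 1 reproduces the page's query: interpreter run by a privileged account.
    Stage 2 applies the note: keep only hits with no expected parent or no
    authorized task behind them.
    """
    image = basename(ev["image"])
    parent = basename(ev["parent"])
    if image not in INTERPRETERS or ev["user"] not in PRIVILEGED_USERS:
        return None
    if parent not in policy["expected_parents"]:
        return ("high", "unexpected_parent")
    if ev.get("task", "") not in policy["authorized_tasks"]:
        return ("medium", "task_not_authorized")
    return None  # expected parent and an approved task: routine deployment


def triage(events: list[dict], policy: dict = POLICY) -> list[dict]:
    """Run classify_event over a batch and return the alerts in input order."""
    alerts = []
    for ev in events:
        verdict = classify_event(ev, policy)
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append({"host": ev["host"], "user": ev["user"],
                       "parent": basename(ev["parent"]), "image": basename(ev["image"]),
                       "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Of the six constructed events, the msiexec run under the approved task is dropped as routine, the user-account cmd.exe and the svchost.exe service start never match stage 1, and three alerts remain: the powershell.exe and python.exe runs from the agent without an approved task (medium) and the cmd.exe spawned by explorer.exe under the SCCM account (high), which is the "no expected parent" case the note singles out.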

References